Migrating WordPress From One Server To Another

KB ID 0001315 

Problem

I have to say before I start, that most of the credit for this article lies with Allen White from www.techieshelp.com. Who gave me the three most important pieces of information that you need to migrate your WordPress site. 

Three Things You Need;

  • The contents of your wp-content directory.
  • The contents of the root of your site.
  • A backup of your database, (this is a lot easier than you think).

Now there may be a couple of exceptions, for example, if your site runs https you might also need a copy of your certificates, and if you have any sub-folders in your site you will also need a copy of those folders as well.

Would it be easier to get an application or plugin to do this for me? Well I use UpdraftPlus and I also use BackWPup (both of which are free). But to be honest you just need access to the site from an FTP/SFTP client (I prefer FileZilla, again because it’s free), or you can simply use WinSCP, (again free).

Solution

Before You start: You need a WordPress server setup with a blank install of WordPress ready to accept your data. I’m not covering that in this article. This article is primarily to cover migrating your site contents. (Though watch this space, I’m going to post a full, WordPress install on LEMP article soon).

To make things simple, set the new database with the same name, username, and password, (get these from your live sites wp-config.php file).

I would also update your live site to the latest version of WordPress before you migrate, Or when you connect you may see a dialog about updating the database and have a bit of downtime.

Backup Your WordPress Data

First connect to your live website and download a copy of your ‘wp-content’ folder;

Note: The more eagle eyed among you will notice I’ve got an ‘extra’ folder in my site, called ‘KB’  that folder will also need downloading.

Now download ALL the files in the root of your website.

Now to get a copy of your database, you will need to know what it’s called, if you have forgotten, open your wp-config.php file (it’s in the root of your website,) with a text editor, and look for the following;

[box]

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'NAME-OF-YOUR-DATABASE');

[/box]

You will also need the root password for your SQL installation, it will be blank unless you have changed it when you installed MySQL or MariaDB, (by running ‘sudo mysql_secure_installation‘).

Connect to your server via SSH or log directly onto it’s console; and run the following command;

[box]mysqldump -u root -p NAME-OF-YOUR-DATABASE > data-dump.sql[/box]

Supply the password and a backup of the database will appear in the folder you are in, (download that also).

I don’t know the SQL Root Password? You can get the username and password that the SQL user uses, (again from the wp-config.php file, and use (mysqldump -u {username} -p {password} {database name} > data-dump.sql).

Restoring Your WordPress Data

Database

Now connect to your new WordPress site with your FTP/SFTP client, and upload the data-dump.sql file.

Connect to your site via SSH, and navigate to the directory you have just uploaded the data-dump.sql file to. You can import the data into your new database with the following command;

[box]mysqldump -u root -p NAME-OF-YOUR-DATABASE < data-dump.sql[/box]

Note: The command is the same as above, but note this time you use the ‘less than’ symbol.

Supply the root password for the destination SQL server.

Data

Restore the contents of your wp-content folder that you backed up earlier directly over the top of the wp-content directory on the new server.

Repeat for any other folders BUT NOT wp-admin or wp-includes.

What this does;

  • Restores your theme(s) and CSS files.
  • Restores your plugins.
  • Restores your WordPress users, and passwords
  • Restores all your posts/pages and media
  • Restores all comments.

Finally restore the files that are in the root of your website, (except the wp-config.php file, as I’m assuming the new site already has a new wp-config.php file with all the right settings in it). 

 

Can this be done any quicker? Yes if you use the BackWPup plugin, you can get it to do a backup of SQL for you, and backup all the files and folders in your site. I back these up to DropBox automatically, so every day they are already on my laptop, this saves me having to download everything. It also means I can rebuild my website if my web server breaks.

Related Articles, References, Credits, or External Links

NA

Exchange 2013 / 2016 / 2019 Default Receive Connector Settings

Default Receive Connectors KB ID 0001314 

Problem

Out of the box, Exchange 2016 (&2013) has five receive connectors. Three for the frontend transport service and two for the mailbox transport service.

  • Front End Transport Service: Does not alter, inspect, or queue mail. It is the first port of call for ALL mail coming into (and out of) the Exchange organisation. This service creates THREE receive connectors All are bound to 0.0.0.0 0.0.0.0, and all IPv6;
    • Client frontend {Server-Name} : listens on TCP 587 (Secure SMTP). It is generally only used for POP clients that are ‘Authenticated’, so are then able to send mail though the Exchange Org.
    • Default frontend {Server-Name}: Listens on TCP 25 (SMTP) and will allow Anonymous connections (by default). Note: Your  incoming mail, (from the public internet,) usually comes in through this connector.
    • Outbound proxy frontend {Server-name}: Confusingly this is actually a send connector and it’s only used if you have set your ‘send connector’ to proxy though one of your Exchange servers.
  • Mailbox Transport Service: Does NOT receive mail from clients it, (as the name implies),  routes mail from/to mailboxes from/to the frontend transport service. It is further broken down into;
    • Mailbox Transport Submission Service:
    • Mailbox Transport Delivery Service:
  • This creates two more receive connectors;
    • Client Proxy {Server-Name}: Listens on TCP 465.
    • Default {Server-Name}: Listens on TCP Port 25 (or 2525).

So what if someone ‘fiddles’ with them, or you are unsure if they are setup correctly?

 

Solution: Default Receive Connectors

Default Receive Connectors Settings

If you just want to check the settings in the Exchange Admin Center;

  • Client Frontend {Server-Name}
    • General Settings;
      • Name: Client Frontend {Server-name}
      • Connector Status: Enable
      • Protocol logging level: None
      • Maximum receive message limit size (MB): 36
      • Maximum hop local count: 12
      • Maximum hop count: 60
    • Security Settings;
      • Transport Layer Security (TLS)
      • Basic Authentication
        • Offer basic authentication only after starting TLS
      • Integrated Windows Authentication
    • Permission Groups;
      • Exchange Users
    • Scoping;
      • Remote network settings;
        • ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        • 0.0.0.0-255.255.255.255
      • Network adaptor bindings;
        • (All Available IPv6) Port 587
        • (All Available IPv4) Port 587
      • FQDN: {The internal FQDN of your server}
  • Client Proxy {Server-Name}
    • General Settings;
      • Name: Client Proxy {Server-name}
      • Connector Status: Enable
      • Protocol logging level: None
      • Maximum receive message limit size (MB): 36
      • Maximum hop local count: 12
      • Maximum hop count: 60
    • Security Settings;
      • Transport Layer Security (TLS)
      • Basic Authentication
        • Offer basic authentication only after starting TLS
      • Integrated Windows Authentication
      • Exchange Server Authentication
    • Permission Groups;
      • Exchange Servers
      • Exchange Users
    • Scoping;
      • Remote network settings;
        • ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        • 0.0.0.0-255.255.255.255
      • Network adaptor bindings;
        • (All Available IPv6) Port 465
        • (All Available IPv4) Port 465
      • FQDN: {The internal FQDN of your server}
  • Default {Server-Name}
    • General Settings;
      • Name: Default {Server-name}
      • Connector Status: Enable
      • Protocol logging level: None
      • Maximum receive message limit size (MB): 36
      • Maximum hop local count: 12
      • Maximum hop count: 60
    • Security Settings;
      • Transport Layer Security (TLS)
      • Basic Authentication
        • Offer basic authentication only after starting TLS
      • Integrated Windows Authentication
      • Exchange Server Authentication
    • Permission Groups;
      • Exchange Servers
      • Legacy Exchange Servers
      • Exchange Users
    • Scoping;
      • Remote network settings;
        • ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        • 0.0.0.0-255.255.255.255
      • Network adaptor bindings;
        • (All Available IPv6) Port 2525
        • (All Available IPv4) Port 2525
      • FQDN: {The internal FQDN of your server}
  • Default Frontend {Server-Name}
    • General Settings;
      • Name: Default Frontend {Server-name}
      • Connector Status: Enable
      • Protocol logging level: None
      • Maximum receive message limit size (MB): 36
      • Maximum hop local count: 12
      • Maximum hop count: 60
    • Security Settings;
      • Transport Layer Security (TLS)
        • Enable domain security (mutual Auth TLS)
      • Basic Authentication
        • Offer basic authentication only after starting TLS
      • Integrated Windows Authentication
      • Exchange Server Authentication
    • Permission Groups;
      • Exchange Servers
      • Legacy Exchange Servers
      • Anonymous
    • Scoping;
      • Remote network settings;
        • ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        • 0.0.0.0-255.255.255.255
      • Network adaptor bindings;
        • (All Available IPv6) Port 25
        • (All Available IPv4) Port 25
      • FQDN: {The internal FQDN of your server}
  • Outbound Proxy Frontend {Server-Name}
    • General Settings;
      • Name: Outbound Proxy Frontend {Server-name}
      • Connector Status: Enable
      • Protocol logging level: Verbose
      • Maximum receive message limit size (MB): 36
      • Maximum hop local count: 12
      • Maximum hop count: 60
    • Security Settings;
      • Transport Layer Security (TLS)
        • Enable domain security (mutual Auth TLS)
      • Basic Authentication
        • Offer basic authentication only after starting TLS
      • Integrated Windows Authentication
      • Exchange Server Authentication
    • Permission Groups;
      • Exchange Servers
    • Scoping;
      • Remote network settings;
        • ::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
        • 0.0.0.0-255.255.255.255
      • Network adaptor bindings;
        • (All Available IPv6) Port 717
        • (All Available IPv4) Port 717
      • FQDN: {The internal FQDN of your server}

Recreating Your Exchange Default Receive Connectors From Scratch

Note: We are talking about the default receive connectors here, if you have created any of you own, for mail relaying from a device for example, you would need to manually recreate these. Below we are going to delete all the default connectors, and recreate them with a PowerShell Script.

Download Recreate Default Exchange Receive Connectors Scripts

Optional: Take a backup of the default receive connectors settings to a text files. Run the ‘Backup-Connector-Settings.ps1‘ script. This will dump the settings to the root of the C: drive in ‘Current {Server-Name} {Connector-Name}.txt’ format.

You can now delete the default receive connectors (Warning: Notice I said default  receive connectors, this may or may not be all the connectors). 

Recreate the Default Receive Connectors: Run the  ‘Create-Default-Receive-Connectors.ps1‘ script. 

Optional: You can now output the settings of the new connectors, (why? So you can compare them to your original settings.) Run the ‘AFTER-Connector-Settings.ps1’ script. This will dump the settings to the root of the C: drive in ‘Receive {Server-Name} {Connector-Name}.txt’ format.

You can now compare differences, the only differences are usually the creation date, and the GUID.

 

Related Articles, References, Credits, or External Links

NA

Cisco – Joining Layer 2 Networks Over Layer 3 Networks

KB ID 0001313 

Problem

It’s a common problem, you want to connect one site to another and still have them on the same layer 2 network.

As you can see above both the routers at the bottom are in the 172.16.1.0/24 network, let’s assume they are clients in the same layer 2 network how would you connect them?

Solution

Option 1: xconnect over L2TP

All the ‘heavy lifting’ is done on the SiteA and SiteB routers. We will start with Site A. You create a pseudowire class, and specify the interface that will do the encrypting .

[box]

!
pseudowire-class CL-XCONNECT
 encapsulation l2tpv3
 protocol none
 ip local interface Ethernet 0/0
!

[/box]

Set the public (internet facing)  IP.

[box]

!
interface Ethernet0/0
 ip address 192.168.200.1 255.255.255.0
 no shut
!

[/box]

Finally setup the private, (LAN facing) interface, and specify the ‘other side’ of the encryption tunnel, (the internet facing interface at SiteB.) Then setup a unique ID.

[box]

!
interface Ethernet0/1
 description LAN
 no ip address
 xconnect 192.168.100.1 1 encapsulation l2tpv3 manual pw-class CL-XCONNECT
 l2tp id 1 2
!

[/box]

Site B is the mirror opposite;

[box]

!
pseudowire-class CL-XCONNECT
 encapsulation l2tpv3
 protocol none
 ip local interface Ethernet 0/0
!
interface Ethernet0/0
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/1
 description LAN
 no ip address
 xconnect 192.168.200.1 1 encapsulation l2tpv3 manual pw-class CL-XCONNECT
 l2tp id 2 1
!        

[/box]

To test you can use the ‘show l2tun tunnel all‘ command

Option 2: MPLS

Hang about! Isn’t MPLS very complicated? Well not for layer two networks. There are certain steps we have to take;

Backbone Routers (That will be Site A, SiteB, AND the ISP one.) We will need a loopback address, (don’t forget these addresses will need advertising into whatever routing protocol is running over the backbone).

[box]

Site A

!         
interface Loopback1
 ip address 192.168.255.4 255.255.255.255
!

Site B

!         
interface Loopback1
 ip address 192.168.255.3 255.255.255.255
!

ISP

!
interface Loopback1
 ip address 192.168.255.2 255.255.255.255
!

[/box]

Backbone Routers: Enable MPLS on all the interfaces that will pass traffic;

[box]

Site A

!
interface Ethernet0/0
 ip address 192.168.200.1 255.255.255.0
 mpls ip
!

Site B

!
interface Ethernet0/0
 ip address 192.168.100.1 255.255.255.0
 mpls ip
!

ISP

!
interface Ethernet0/0
 ip address 192.168.100.254 255.255.255.0
 mpls ip
!
interface Ethernet0/1
 ip address 192.168.200.254 255.255.255.0
 mpls ip
!

[/box]

Client facing interfaces:, (these can also be sub interfaces, if you are trunking). Need xconnect setting up, the syntax is as follows;

xconnect {ip of target loopback) {id-must-match-other-end} encapsulation mpls

[box]

Site A

!
interface Ethernet0/1
 description LAN
 no ip address
 xconnect 192.168.255.3 3000 encapsulation mpls
!


Site B

!
interface Ethernet0/1
 description LAN
 no ip address
 xconnect 192.168.255.4 3000 encapsulation mpls
!

[/box]

Option 3: VPLS

Virtual Private LAN Service, is pretty much designed to do exactly what we want, it let’s us stretch layer two networks to multiple points, let’s assume both my network segments (above) need to be in VLAN 300, so they share the same broadcast domain.

The setup process is similar to MPLS, you create a loopback interface on the backbone routers, advertise those addresses into the routing protocol of your choice, then you enable ‘mpls ip‘. But then, on the routers that face the clients you need to create a ‘vfi‘ (virtual forwarding instance,) then attach that VFI to the VLAN interface that the clients are connected to.

[box]

!
l2 vfi VPLS-300 manual
 vpn id 300
 neighbor 192.168.255.3 encapsulation mpls
!
interface Vlan300
 mtu 1600
 xconnect vfi VPLS-300
!

[/box]

Note: Obviously the physical interface connected to the clients, needs to be in VLAN 300, and don’t forget (at both ends), to make sure that vlan 300 is up (no shut).

To Test:

[box]

SiteA#show mpls l2transport vc 300

Local intf     Local circuit              Dest address    VC ID      Status
-------------  -------------------------- --------------- ---------- ----------
VFI VPLS-300   VFI                        192.168.255.3     300        UP

and

SiteA#show mac address-table vlan 300

Legend: * - primary entry
        age - seconds since last seen
        n/a - not available
        S - secure entry
        R - router's gateway mac address entry
        D - Duplicate mac address entry

Displaying entries from active supervisor:

     vlan   mac address    type   learn    age                 ports
----+----+---------------+-------+-----+----------+-----------------------------
*     300 0050.56ab.2eae  dynamic  Yes       90     VPLS peer 192.168.255.3(2:1)
*     300 0050.56ab.12ee  dynamic  Yes      340     VPLS peer 192.168.255.3(2:1)

[/box]

In the bottom example, you can see MAC addresses being learned form the ‘other’ sire of the VPLS link.

 

Related Articles, References, Credits, or External Links

NA

Microsoft PKI Planning and Deploying Certificate Services Part 3

KB ID 0001312

Problem

Following on from Part Two, now we have an offline Root CA, and a CRL server, our next step is defined by our PKI design, are we three tier, or two tier? (Look in Part One for a definition).

Solution

As previously mentioned, Microsoft just treats Intermediate CAs and Issuing CA’s as the same thing (SubCAs). So the next step is identical for either. But I would suggest one difference, If I was deploying an Intermediate CA, I would have “LoadDefaultTemplates=0” in the CAPolicy.inf file, and for an Issuing server I would not, (that’s just my personal preference).

I’m going to continue this piece for a two tier PKI deployment. And my next SubCA will be an Issuing CA.

Create your SubCA CAPolicy.inf file and save it to C:\Windows

[box]

[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
OID= 1.2.3.4.1455.67.89.5
Notice="Legal Policy Statement"
URL=http://pki.cabench.com/pki/cps.txt
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=15
CRLPeriod=weeks
CRLPeriodUnits=1
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0

[/box]

Launch Server Manager > Manage > Add Roles and Features.

Role Based > Next > Select the Local Server >Next > Active Directory Certificate Services > Add Features > Next.

No additional Features are Needed > Next > Next > Select Certification Authority > Optional*: Select Certificate Authority Web Enrolment > Next.

*Note: This gives you the nice registration website for certificates.

Next > Install > Close.

Configure Active Directory Certificate Services.

Next > Select ‘Certification Authority’ and ‘ Certificate Authority Web Enrolment’, if you selected it above > Next > Enterprise CA > Next.

Subordinate CA > Next > Create New Private Key > Next > Change the Hash algorithm to SHA256 > Next.

Give the CA a sensible Name > Next > Select ‘Save certificate request to a file on the target machine’ > Next.

Next > Next > Install > Close.

Note: The warning is fine, we haven’t installed the certificate yet, that’s our next step

Copy your certificate request file, (ending .req) and put it on your floppy drive. 

Note: I’m aware we are in the 21st century! I’m using virtual floppy drives.

Present the floppy drive to your offline Root CA and execute the following command;

[box]certreq -submit “A:\filename.req“[/box]

When prompted with the CA name > OK > Take a note of the RequestID you need this in a moment. (Leave the command window open!)

Open the Certificate Services Management Console > Server-name > Pending Requests > Locate your request > Issue the certificate.

Back at command line issue the following command;

[box]certreq -retrieve {RequestID}A:\SubCA.crt“[/box]

When prompted with the CA name > OK.

Check the certificate has appeared on your floppy drive, and present that back to your SubCA server > Open the Certificate Services Management console > Server-name > All Tasks > Install CA Certificate > Locate the cert  > Open.

Start the Service (If it errors at this point you may have a problem with your CRL server see the following link for a temporary workaround until you can fix the CRL).

Certificate Services – Disable CRL Checking

Troubleshooting: Open an MMC Snap-in and Add the Enterprise PKI snap-in to point you towards problems.

At this point I like to copy the Sub CA Cert to C:\Windows\Sytem32\Certsrv\CertEnroll. You should see the CRL for the SubCA already there (and maybe a delta CRL like the image below).

Now we are going to publish those into AD, open an administrative command window and issue the following commands;

[box]

cd  C:\Windows\Sytem32\Certsrv\CertEnroll
certutil -dspublish -f SubCA.crt SubCA
certutil –addstore –f root SubCA.crt
certutil –addstore –f root SubCA.crl
certutil -dspublish  SubCA.crl

[/box]

 

Restart Certificate Services;

[box]

net stop certsvc
net start certsvc

[/box]

Back in Certificate Services > Properties > Extension > Remove the http and file entries. NOT the ldap or the one that’s pointing to C:\Windows.

With CRL Distribution Point showing > Add > Type in http://pki.{your-domain}/pki/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl 

Note: You can add the variables in to avoid typing them, DON’T FORGET to put .crl on the end!

OK.

With your new URL selected, tick;

  • Include in CRLs. Clients use this to find DeltaCRL locations.
  • Include in the CDP extension of issued certificates.

Apply > OK > Services will Restart.

Once Again, click Add, this time type in the UNC path to your hidden PKI share on your CRL Server, e.g.

\\pki.{your-domain}\pki$\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl

Note: You can add the variables in to avoid typing them, DON’T FORGET to put .crl on the end!

OK.

With your UNC path selected, tick;

  • Publish CRLs to this location.
  • Publish Delta CRLs to this location.

Apply  > OK > Services will restart.

That’s your PKI environment stood up and ready to go, you may also want to setup OCSP, see the following article;

Microsoft Certificate Services Configuring OCSP

You can now issue certificates, some of the things you might want to consider setting up are;

Windows Server 2012 – Enable LDAPS

Deploying Certificates via ‘Auto Enrollment’

Windows Server 2012 – Secure RDP Access with Certificates

Install and Configure Certificate Enrolment Policy Web Service

Related Articles, References, Credits, or External Links

NA

WannaCry – Protect Yourself

KB ID 0001311 

Problem

Last Friday, the IT world was hit by another attack, WannaCry is a Ransomware infection, that exploits a hole in the windows SMB Protocol.

This hole was patched back in March, (Security update MS17-010) so if your, (windows update supported systems) have updates enabled, you will probably already be protected.

Why were big organisations like the NHS hit? Primarily because they have systems that are no longer supported, (or patched) by Microsoft. e.g. Windows XP, (support ended in 2014), and Windows Server 2003, (support ended in 2015). It happens because organisations have software that cannot run on more modern operating systems, so instead of migrating away from the software, Trusts continue to run old operating systems.

 

Solution

WannaCry Removal

If you are already infected, disconnect your affected machines from the network, Kaspersky has a tool that you can use.

Ransomware Removal

Microsoft Patches Windows XP and Server 2003

Although they have no requirement to do so, Microsoft has released patches for these legacy operating systems;

MS17-10 KB4012598 (WannaCry Patch)

Additional Steps

  1. Enable Windows Updates and wherever possible set it to automatically install updates. If you are a corporate customer, then get together a patching policy that has security updates tested and rolled out, in a matter of days.
  2. Backup your machines, the most effective defence if having your files backed up. So if you are infected, you can simply roll back to before the infection, and protect your machines.
  3. Be vigilant: Don’t click attachments in Emails unless you are 100% sure they are genuine.
  4. Local Firewalls: Turn them on (Start > Run > Firewall.cpl {enter}).
  5. Corporate firewalls: Block all inbound TCP 139 and TCP 445 traffic
  6. Run up to date AntiVirus and AntiMalware.
  7. Dont pay the ransom, don’t engage with the perpetrators.

 

Related Articles, References, Credits, or External Links

NA

Microsoft PKI Planning and Deploying Certificate Services Part 2

KB ID 0001310 

Problem

In Part One we deployed our offline Root CA Server, now we are going to deploy a ‘Certificate Revocation Location’ server.

Solution

Before you start:

Create a DNS record for ‘pki‘ that points to the IP address, that you will have the CRL web server hosted on.

I’m installing my CRL server on a separate web server because thats good practice. Starting with a domain joined member server, launch Server Manager > Manage > Add Roles and Features.

Role Based > Next > Select the Local Server > Next.

Select Web Server IIS > Add Features > Next > Next.

Next > No additional features are required > Next.

Next > Install > Close.

Create a Folder called PKI on the Root of your web server and share it as PKI$ (The dollar denotes hidden share).

Set the share permissions as follows;

  • SYSTEM: Full Control
  • Domain Admins: Full control
  • Cert Publishers: Change
  • Servers That Will Publish CRLs: Full Control

Launch Internet Information Services (IIS) > Server-name > Sites > Default Web Site > Add Virtual Directory.

  • Alias: PKI
  • Physical Path: C:\PKI

Select your new PKI directory > Edit Permissions.

  • Cert Publishers: Modify.
  • DefaultAppPool: Read and Execute.

Note: You cannot browse to DefaultAppPool > Change the source to local computer-name > type in the username ‘IIS AppPool\DefaultAppPool’.

For your PKI  Virtual Directory select ‘Configuration Editor’.

System.webServer > Security > requestFiltering > allowDoubleEscaping > Change to ‘True’ > Apply.

Now select ‘Directory Browsing’.

Enable.

At this point I copy in the .crl file you exported from your Offline Root CA. (I also copy in the RootCA certificate, so I know where I can get a copy!)

When you setup your CA Servers in the CAPolicy.inf file theres a section of the ‘Legal Policy Statement’ and the URL I used points to this server as well, (it was http://pki.cabench.com/pki/cps.txt). So create the cps.txt file in the same directory. To decide what text will go in the file, read RFC 7382.

The next most logical step depends on whether you are building a two tier, or three tier PKI environment. If it’s a three tier, then you are going to deploy your Intermediate Sub CA server next. If it’s a two tier then you are going to deploy your Issuing CA next.

Microsoft PKI Planning and Deploying Certificate Services Part 3

Related Articles, References, Credits, or External Links

NA

ADMT (Active Directory Migration Tool) Domain Migration – Part 4

KB ID 0001308 

Problem

On the homeward stretch now, back in Part Three, we migrated service accounts, groups, and users. Now we turn our attention to our machines.

Note ADMT 3.2 Only support the migration of Operating Systems up to Windows 7, (that doesn’t mean Windows 8 and Windows 10 wont work, it just means they are not supported). Migrating Windows 8 and 10 throws a lot of security translation errors, because of the way it treats ‘Apps’, so I’d recommend you do a LOT of testing before carrying out a live migration.

Solution

ADMT Computer Security Translation

Migrating computers is a two-step procedure, you do a security translation on a machine, then you migrate the machine. The security translation adds the security for the user(s) in newdomain.com to all the objects (files, folders, user profiles, and registry hives, etc) that their user account in olddomain.com did. like doing the service account migration (above) the plan is to get everything ready to ‘work’ before the machine is migrated.

Real World Note: This can take a while, (up to an hour for some machines,) and it’s best done without anyone being logged in (to prevent any profiles, or registry hives being locked). So take time to plan when this is done – rush it and you will have problems, and the very users who are too busy to be interrupted, are the very ones that shout the loudest if there’s a problem post migration. I would (if possible) have a stock of prebuilt machines on the new domain in case there’s any migration dramas, at least then you can get people working quickly.

This should be getting familiar by now, accept the defaults.

Select your computer(s) > Select all the options > SELECT ADD > Finish.

Agent Note: You are about to deploy the ADMT agent, make sure you have followed part one and part two. This process will be familiar if you carried out the service translation wizard earlier.

Run the pre check, and agent deploy.

What you will find after translation is all the profiles, and files etc will have the new domain users added alongside the old one with the same rights.

ADMT Computer Migration

Now finally to migrate the machines, ADMT > Computer Migration Wizard.

Select the computers.

Select the Target OU > Tick everything > Add > Select the amount of time to wait before rebooting the machine into the new domain.

Hang About Haven’t we done some of this? Yes, but because you have done the security translation already it can see the ACLs exist as it goes through and skips creating them.

As usual I’m not filtering any attributes > I’ll quit if theres a conflict > Migration should then complete.

Can I migrate Servers With ADMT?

Yes, but you need to have a good think about doing so first? For simple file and print servers that should be OK (Obviously back them up first etc). DONT try and do this with an Exchange server, or any other server that relies on Active directory for its very existence! And wherever possible if you can create clean new servers and migrate your data into them do so!

 

What about Microsoft Exchange and User Mailboxes?

I mentioned Exchange briefly on the user migration, Exchange migrations between domains, are possible, depending on your setup it may be easier to export all the mail form the old system and import it into the new one (use the search bar above. I’ve already written a load of stuff about doing this). In the not to distant future I’ll cover Exchange Inter Organisation Mail migrations.

Readers Note:

As with all the articles here, please provide feedback below, if one thing you have found can save another reader sweat and toil, then that’s the very reason for this site! If you have been with this since part one thanks for staying till the end (PL).

Related Articles, References, Credits, or External Links

NA

Microsoft PKI Planning and Deploying Certificate Services

KB ID 0001309

Problem

“I don’t know what it is about Certificates, I just don’t like them, I don’t understand them, and I don’t like working with them”

I hear this a lot, In fact I heard it this week, and as I’m usually the ‘go-to-guy’ for certificates and PKI, it winds me up! IT pros take the time to learn concepts like DNS, DHCP, Kerberos etc. But mention Certificate Services and heads disappear below monitors and silence decends.

OR WORSE: Someone adds the role, clicks Next > Next > Next > Job done! Lets have tea and medals!

So in typical PNL fashion lets simplify everything, get everyone on the same page. And most importantly, lay out how to do it so I don’t have to do it for you!

Solution

To design PKI well, you need to decide if you want a two or three tier PKI environment. 

What can’t I just have one CA Server? (Hmm your the Next > Next > Next > Job Done Person Eh?) Well you can! But if that one server breaks, (or get compromised.) Then you are in trouble. Plan you deployment properly and save yourself a headache.

Two Tier Or Three Tier PKI? That’s your call, The main advantage of three tier PKI is, if one of your issuing servers, is compromised, you don’t need to bring the offline Root CA back online to re-issue its certificate. I have a client who have an issuing server in their DMZ so this was a good fit for them. For most domains Two Tier is the best option.

So I can only have one issuing Server? No, I just put one on the diagram for simplicity, you can have 1, or 100, or 1000, it’s up to you.

Do I need CRL (Certificate Revocation List) and/or OCSP (Online Certificate Status Protocol) On a Separate Server? Strictly speaking No, but it’s considered good practice, and if you need to advertise a CRL externally, it is more secure. 

PKI Terminology Differences

You will notice I’ve mentioned a Root CA, an Intermediate CA, and an Issuing CA. This is to better explain the architecture and define a difference between an Intermediate CA, and an Issuing CA. Microsoft does not care,.Both of those servers are SubCA servers in Microsoft speak. 

Deploying an Offline Root CA

Whichever architecture you choose this will be your fist step. The offline Root CA is a non domain joined machine, its sole job is to issue SubCA certificates to your intermediate CAs (three tier PKI), or issuing CAs (two tier PKI). When you have finished you power off the Offline Root CA and keep it off.

Note: In my example I want my Root CA Cert to last 20 years

Before You Install Anything: Create a CAPolicy.inf file you can edit it with notepad. You may want to change the validity period, you certainly will need to change the legal notice URL (more on this later) to your own domain FQDN (Note: If you need people outside your organisation, (either at a partner, or just someone the public internet) to see that, ensure that URL is addressable.

Sample Offline Root CA CAPolicy.inf

[box]

[Version]
Signature="$Windows NT$"
[PolicyStatementExtension]
Policies=InternalPolicy
[InternalPolicy]
OID= 1.2.3.4.1455.67.89.5
Notice="Legal Policy Statement"
URL=http://pki.cabench.com/pki/cps.txt
[Certsrv_Server]
RenewalKeyLength=2048
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=20
CRLPeriod=weeks
CRLPeriodUnits=26
CRLDeltaPeriod=Days
CRLDeltaPeriodUnits=0
LoadDefaultTemplates=0

[/box]

Save the CAPolicy.inf file to C:\Windows, Make sure it’s not called Capolicy.inf.txt, (or it wont work).

Launch Server Manager > Manage > Add Roles and Features.

Role Based >  Next > Select the local server > Next  > Select ‘Active Directory Certificate Services’ > Add Features  > Next.

No other features are required > Next > Next > Certification Authority > Next.

Next > Next > Close.

Configure Active Directory Certificate Services.

Accept the default (local administrator) > Next > Certification Authority > Next.

Stanalone CA > Next > Root CA > Next.

Create a new private key > Next > Make sure the hash algorithm is SHA 256 (NOT SHA1) > Next.

Give the CA a sensible name > Next > Set the validity period (as mentioned above I’m going for 20 years) > Next.

All the default can now be accepted > Next > Next > Close.

Launch the Certification Authority Management console and make sure we have a green tick.

Now we need to ‘Stamp’ Certificates issued by this CA Server with some domain information, but we have no connection to the domain, so we need to do it manually. Open an administrative command window and execute the following commands;

Note: I want my SubCA certificate to be valid for 15 years, if you want longer/shorter then adjust the figures below

[box]

Certutil –setreg CA\DSConfigDN “CN=Configuration,DC=cabench,DC=com”

Certutil –setreg CA\CACertPublicationURLs “1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11\n2:http://pki.cabench.com/pki/%1_%3%4.crt”

Certutil –setreg CA\CRLPublicationURLs “1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://pki.cabench.com/pki/%3%8%9.crl”

Certutil –setreg CA\CRLPeriodUnits 52 

Certutil –setreg CA\CRLPeriod “Weeks” 

Certutil –setreg CA\CRLOverlapPeriodUnits 12 

Certutil –setreg CA\CRLOverlapPeriod “Hours” 

Certutil –setreg CA\ValidityPeriodUnits 15 

Certutil –setreg CA\ValidityPeriod “Years” 

Certutil –setreg CA\AuditFilter 127

net stop certsvc

net start certsvc

Certutil –crl

[/box]

Now my Offline Root server is not connected to a network, (because that’s best practice,) and as it’s a virtual machine the only way to get files from it is to use a virtual floppy drive, Im going to copy both my Root CA Certificate and CRL file to my floppy drive.

[box]Copy C:\Windows\System32\Certsrv\CertEnroll\*.* A:\[/box]

Now TAKE THESE FILES TO A DOMAIN JOINED MACHINE, and execute the following commands.

[box]

cd a:\
certutil -dspublish -f 01-Root-CA_ROOT-CA.crt RootCA
certutil –addstore –f root 01-Root-CA_ROOT-CA.crt
certutil –addstore –f root ROOT-CA.crl
certutil -dspublish  ROOT-CA.crl

[/box]

Note: These command publish the CA Certificate, (and its CRL) into Active Directory. You can see where, if you open the path shown in the example in ADSIEdit.msc (CN=Public Key Services, CN=Services, CN=Configuration, DC={forest root domain})

See Microsoft PKI Planning and Deploying Certificate Services Part 2

Related Articles, References, Credits, or External Links

NA

ADMT (Active Directory Migration Tool) Domain Migration – Part 2

KB ID 0001306

Problem

Back in Part One we setup our migration admin account, and installed ADMT. Now, as I’m going to migrate the users passwords I need a ‘Password Export Server‘, but first I need to tackle the subject of user SIDs

 

Solution

Domain Migrations and SID Filtering

Every user has a SID (Security Identifier) it’s the thing AD uses to refer to and apply security to users, (and other objects). This is why you can rename a user and it’s security does not change, (because the SID always remains the same). Why is this important for domain migrations? Well if you’re a doing a migration that’s taking place over a period of time, users in the NEW domain may still need access to things IN the OLD domain, (like file shares, printers, applications etc).  

This is a problem because when you setup a domain trust it Enables SID filtering, back in part one it told you this, here. So if a user in newdomain.com tries to access a folder, (they could access before the migration,) in olddomian.com they wont be able to do so, (because their SID has changed, to a new SID in the new domain. Even if you migrated their old SID if get’s filtered out as the user comes back over the trust).

How do we fix that? We need to do two things, 

  • Migrate the users old SID to newdomain.com (This then become their, sIDHistory attribute)
  • Disable SID filtering in  olddomain.com (To allow the sIDHistory attributes to come back over the trust)

This lets users in the new domain have their NEW SID, and their OLD SID.

Migrating the users SID is simple, (it’s just a box you tick when running a migration, you will see that later). Disabling SID filtering can be a little confusing. Where do you do it, and which way round do you execute the command? Above I’ve solved the first one for you you Disable SID Filtering on the OLD domain. The following diagram will explain why;

Usually users DON’T have a sIDHistory. attribute, (unless they’ve been migrated before!) They only have a SID (objectSID attribute.) To demonstrate let’s jump forward in time, and look at a migrated user (ABarksdale)

Click to enlarge the above image, and inspect the users SID (objectSID) and old SID (sIDhisttory) attributes.

In the olddomain.com;

objectSID: S-1-5-21-227018303-3265311450-382577

sIDHistory: {None}

In the newdomain.com;

objectSID: S-1-5-21-3846632479-19853633304-4016520

sIDHistory: S-1-5-21-227018303-3265311450-382577 (Note: objectSID migrated from olddomain.com)

Disabling SID Filtering

Now we know where to do it, we just need to construct the command to disable it. Run the following command;

[box]netdom trust {source-domain} /domain:{target-domain} /quarantine:No userro:{username} password:{password}[/box]

Or for a Forest Trust

[box]netdom trust {source-domain} /domain:{target-domain} /enablesidhistory:Yes /userD:{username} /passwordD:{password}[/box]

So in my example;

  • source-domain: olddomain.com
  • target-domain: newdomain.com
  • username: (Domain administrator in olddomain.com)
  • password: Password for user above.

ADMT: Setting up a Password Export Server

As the name implies, this is a piece of software that runs on the source domain, (on a domain controller,) that ADMT uses to migrate user passwords. Before you can do this, you need to create a ‘key’ in the NEW domain, (where ADMT is running). Then, you use that key to setup the password export server in the OLD domain.

On the ADMT Server open an administrative command window and issue the following command;

[box]admt key /option:create /sourcedomain:{source-domain} /keyfile:”C:\PES.pes” /keypassword:{password}[/box]

So in my example;

  • source-domain: olddomain.com
  • keyfile: Where you want to save the keyfile.
  • password: can be anything you want, but you will need it to setup the password export server, so don’t forget it.

If it runs OK, find your keyfile, then copy this to the domain controller in the old domain you are going to install the password export server service on.

Theres two versions of the password export server software, (a 32 bit and a 64 bit version.) Download and install the version applicable to your source domain controller.

Passport Export Server 64 bit version

Passport Export Server 32 bit version

Note: The install requires a reboot of the server, you might want to do this at the end of the day.

The install is pretty simple, Accept the EULA, browse to the keyfile, and enter the password you used above.

 

Specify a user account to run the service as, (I just use the ADMTAdmin account we’ve already created).

Finish the install, and let it reboot.

After a reboot, if you look in the services (Start > Run > services.msc). You will see the ‘Password Export Server Service’.

Note: You will also notice the startup type for the service is ‘Manual’. ONLY start this service, when you are actually migrating passwords.

ADMT: Granting Local Rights to ADMT user in the Source Domain.

To migrate machines, the ADMTAdmin user needs “Local” administrative access on all the source machines. The easiest way to do this is via group policy, using ‘Restricted Groups’.  This allows you to take a group (or user) and put put them on the local groups (including administrators) of the targeted machines.

In the OLD domain, create a group and put the ADMTAdmin from the target domain in it. (I put the domain admin from the target domain in it as well, to be on the safe side, but that’s up to you).

Note: You may see this a few times while doing migrations, notice above the user icon there’s a small red curved arrow (below), that logo denotes ‘Foreign Security Principle’, it’s not really our user at all, it’s a special object that AD creates in a hidden OU, (turn on advanced mode in AD users and computers you can see them.)

Create a new GPO that will apply to the computers/servers you are going to migrate. 

Edit it.

Navigate to;

[box]Computer Configuration > Policies  >Windows Settings > Security Settings > Restricted Groups[/box]

Add a new one, select the group you have just created > and add it to ‘Administrators’.

It should look like this when you are finished.

Windows – Forcing Domain Group Policy

To test it has applied,  on a client run ‘gpresult  -R’ at an administrative command prompt.

You can of course, simply check the local administrators group to  make sure the new group is in there.

ADMT: Additional GPO Note

To perform computer migrations, (and security translations), ADMT needs to deploy an ‘agent’ to the machines in the OLD domain. The local firewall (if enabled) can stop this, I simply disable the local firewall. (If someone wants to send me a list of ports to add, to make it work I’ll publish the). But even the Microsoft Documentation on Technet says disable the firewall.

Create a new GPO linked to where your source computers are, (here I’m just linking to the root of the domain).

Edit the GPO.

Navigate to;

[box]Computer Configuration >Policies  > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile[/box]

Locate “Windows Firewall protect all network connections‘ and set it to disabled.

Windows Group Policy – Disable The Local Windows Firewall

In addition I have also seen the agent fail to deploy if the ‘Remote Registry Service’ is not running on the target machines, (it’s disabled by default). So I use this policy to turn that on as well.

In the same GPO navigate to;

[box]Computer Configuration > Polices > Windows Settings > Security Settings > System Services[/box]

Locate the ‘Remote Registry’ service, and set it’s startup to automatic.

This may take a while to permeate down to all the machines, Windows – Forcing Domain Group Policy

 

In Part Three we will start migrating objects.

Related Articles, References, Credits, or External Links

NA